Bart E. asked ·

How to tell which SAP system uses what cipher (SNC)?

We have many systems using SAP SNC. All SPNs are added to keytab files and in general this is working fine. Some clients seem to use an unsupported cipher (DH), but how can we find out which SAP SID or users use an unsupported cipher?

Output from sncdecr status:

Cipher suite diagnostic:

Well know ciphers:

010000010000010102020201=172

010000010000010202020201=446247

Unknown ciphers:

0101000900004000=1 (Diffie-Hellman)

Well know mechanisms:

OID=1.3.36.3.1.37.1 ref=446546

Unknown mechanisms:

I cannot find any solution on the probe or in the reports for this. Any suggestions, anyone?

Kris Z. answered ·

Hi Bart,

If a router is involved, that's not possible with the current version. But it will be possible in one of the upcoming updates to release 2019 (yes, we plan updates already, even though 2019 GA is a month away :-)

In the meantime, you may open a Support call with this request; development may be able to provide you with a custom AMD build with that new feature added for testing/debug in your environment (assuming the AMDs you have are not too old).

Best regards

Kris Z. answered ·

"find out which SAP SID or users use an unsupported cipher" is a catch-22: you can't get to know the SID and user name without decryption.

Use "sncdecr status all" to get more information on servers for which DH is enabled. Since encryption is typically configured per server, that should suffice.

Hope this helps

Bart E. answered ·

The difficulty is that we are using a SAP Router. Meaning all traffic is to one server only, so I am unable to tell the difference from the "sncdecr status all" command.

I was hoping there would be a way to identify the user or client IP address that is using the unsupported cipher. Would that be possible, you think?

Bart E. answered ·

Thanks Kris. Great to hear that it will be available in the 2019 updates. I'll check with support to see if we can get a custom build. Our AMD is fully up-to-date :)
